Banks Awakening to Dangers of E-mail After Epsilon Breach

Perhaps the most critical thing bankers have learned from the breach at Epsilon, the email marketing unit of Alliance Data Systems Corp. of Plano, Texas, is that there is no such thing as "low-value" information anymore. All stolen information is worth its virtual weight in gold.

Armed with email addresses and bank affiliations, hackers in the months to come are likely to use the information to create not only the highly targeted spear-phishing campaigns that many have predicted — they will also use it to construct more sophisticated assaults on higher-value corporate accounts and to infect corporate networks.

Even banks that don't have a relationship with Epsilon expressed alarm at the potential fallout.

"What concerns us is if our customers come to the banking site, after getting a [fake] message from an [affected] provider they have a relationship with, and they've clicked on a link that's put malicious software on their computers that collects their banking information," said Sam Vallandingham, the chief information officer and vice president of First State Bank of Barboursville, W.Va.

"The lesson here is that personally identifiable information, email addresses and names of financial institutions, has to be protected just as routing numbers, checking account or debit card numbers currently are," said Philip J. Blank, senior analyst for security, risk and fraud at Javelin Strategy and Research.

Regulation and oversight could be supplied by financial services companies themselves, independent auditors, a governmental group, or the combination of all three.

"There has to be proactive governance, and a risk-and-compliance model" for consumers' personal information, Blank said.

The issue has concerned bank security providers as well.

"Social engineering is the future of these attacks," said Mickey Boodaei, the chief executive of Trusteer Ltd. of Tel Aviv, Israel.

"We will see fraudsters targeting computers inside the bank and trying to find ways inside the network to get to customer information."

Hackers might also work their way into bank databases by targeting bank employees with social engineering scams.

"If they manage to get to employees who manage the website or database, from there they can control the bank's Web application," Boodaei said.

Experts said that the magnitude of the break-in will increase as targeted spear-phishing campaigns morph into so-called advanced persistent threats and other attacks.

Banks also have to contend with the possible consequences of a March breach at EMC Corp.'s RSA Security, which many banks rely on for authentication.

"We can expect that the elevated risks will be with us for quite some time to come," said Julie Conroy McNelley, senior risk and fraud analyst at Aite Group LLC.

McNelley said that by using social networks that combine consumers' names with plentiful data about their jobs, titles and responsibilities, "criminals can ferret out a lot of information about someone with just an email as a starting point, and can combine that with social engineering to craft a very sophisticated attack."

Advanced persistent threats are highly focused attacks that typically target a single aspect of a company's infrastructure. Experts said that fraudsters will likely use stolen email addresses to gather more data from sites like LinkedIn to craft highly focused campaigns against corporate accounts because there is potentially more money involved.

"You will see low-volume, very targeted messages that won't trigger firewalls or intrusion-prevention systems; [phishers] will not send 1,000 emails at once," said Dave Jevans, the chairman and founder of IronKey Inc. of Sunnyvale, Calif.

He suggested that banks could identify customers to vendors using shortened account numbers. The vendors could request the rest of the information as needed, deleting it after use.

Trusteer recently ran a test of 100 consumers to see how likely they would be to click on links to infected pages when they were sent an alert about a change in status for one of their LinkedIn contacts.

Trusteer said it spent less than one day sorting through its test subjects' connections on the social media site, and constructed a fake alert that would redirect users to a dummy website, representing a site a hacker might infect with malware.

Trusteer found that 41% of the test group arrived at the fake page within 24 hours, and more than half showed up within two days. Nearly 70% arrived at the page within a week.

"This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer," Trusteer said in its blog post Wednesday.

Still, experts said there are best practices that banks can use with their own data as well as when they work with third-party providers, as most every bank does.

Indeed, a number of financial services companies that worked with Epsilon were not impacted by the breach.

For example, Visa Inc., which works with Epsilon for marketing around its Visa Extras program, said it managed to avoid the breach by maintaining different systems for its customer data.

In an email, Visa told American Banker that "all the databases, applications and servers maintained by Epsilon for the Visa Extras program have always been completely separate systems, and thus were not in any way involved in the March 30th incident."

Beyond separate systems, the most critical best practice is encryption of data at rest, McNelley said.

This practice "makes it very difficult for the data to be compromised even if the perimeter is penetrated," McNelley said.

Though First State is a small bank, with $250 million of assets, Vallandingham says First State encrypts its customer data while it is at rest as well as while its being transmitted. First State also encrypts its own email and uses software to prevent data from being leaked through storage devices attached to its computers' USB ports.

Avivah Litan, a vice president and distinguished analyst at Gartner Inc., said it would also be helpful for banks to create stronger access controls around personal data as well as "monitoring activity around sensitive data access, and making sure access is blocked on suspect transactions."

Should hackers slip under intrusion-detection systems, "there are solutions that reside at the network level of a company and monitor the activity … to determine whether the data is leaving," McNelley said, adding that applying behavioral analysis tools to network activity, and continuously scanning for any abnormal behavior, would also be useful.